However, before I did anything on the switch, I simply plugged my ntop server in and fired up ntop. To my surprise, I instantly see 3+ pages of hosts, and thousands of packets. How is ntop seeing this?

I have verified that no monitoring exists on the switch (run as en):

cs1.pvdc#show monitor
No SPAN configuration is present in the system.

My ntop server is Ubuntu 8.04, I haven't done ANY configuration, I just installed the ntop package. This is also a fresh Ubuntu install.

Is there anything else on my switch besides "monitor" that might cause my switch to mirror all its traffic like this? I've tried plugging ntop into different ports with the same results.

UPDATE: It appears to be more than just broadcast traffic showing up in ntop; for example, I can see when my IPs have talked to the DNS server or generated HTTP traffic. If my switch is misconfigured, can anyone point me in the right direction towards rectifying this? Not a Cisco expert.

3 Answers

What kind of packets are you seeing? In general I've found that a good-size network will inevitably have a lot of broadcast chatter. Things like NetBIOS announcements and ARP requests. What you shouldn't see is any point-to-point traffic. Look at the source and destination IP/MAC addresses. If you are seeing specific point-to-point traffic then there is possibly a configuration problem with your switch.

Also, it would be good to turn spanning-tree portfast on on each of your access ports of the switch, because this will prevent the MAC address table from getting flushed when a port goes up/down, which is usually the cause of switches flooding packets.

This would change the time an entry stays in the switch's table, allowing it to remember addresses longer and limit unicast flooding.

The other command to use is the one I mentioned above, spanning-tree portfast. You should enable this on each interface that does not connect to another switch. This will have 2 benefits: first, it will speed up the time it takes to plug in a new computer; second, it will also keep the switch from flushing the MAC table when it thinks there is a topology change (a feature of spanning tree).

Note: The SPAN will monitor A to B and B to A traffic on one port. If you have full duplex 2x 100 Mbit, the overall traffic between A and B can't exceed the network speed 100 Mbit before packet loss occurs. This shouldn't be a problem with a gigabit switch.

In this configuration, the sniffer only captures traffic that is flooded to all ports, such as:

Unicast flooding occurs when the switch does not have the destination MAC in its content-addressable memory (CAM) table. The switch does not know where to send the traffic. The switch floods the packets to all the ports in the destination VLAN.

If you have a very large LAN, then check the size of your switch's MAC table storage. If you are overflowing a lot, then your switches will start to flood.

I've seen this problem with a network that had a core switch that had been configured to filter layer 2 multicast packets, which led to incomplete MAC tables on many of the access switches.

If you have physical access to the switch, switch its diagnostic LEDs to traffic mode; you should see an even distribution of activity on every port (shows even traffic distribution). If there is a lot of synchronisation, then there's a lot of flooding going on. If all switches are the same, then you have a MAC table learning problem.
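The check suggested in the first answer (look at destination MAC addresses and separate broadcast/multicast chatter from point-to-point traffic that is not addressed to the sniffer) and the unicast-flooding explanation above, as an added Python example that is not part of any of the posts. The sniffer MAC and the frame list are constructed sample values, not real capture data; a practitioner would feed it frames exported from ntop or a pcap instead.

```python
from collections import Counter

# MAC of the ntop sniffer's own NIC (constructed sample value, an assumption)
SNIFFER_MAC = "00:11:22:33:44:55"

# Constructed sample frames as (src_mac, dst_mac, description); not real traffic.
SAMPLE_FRAMES = [
    ("00:aa:bb:00:00:01", "ff:ff:ff:ff:ff:ff", "ARP who-has"),
    ("00:aa:bb:00:00:02", "01:00:5e:00:00:fb", "mDNS"),
    ("00:aa:bb:00:00:03", "ff:ff:ff:ff:ff:ff", "NetBIOS announce"),
    ("00:aa:bb:00:00:01", "00:11:22:33:44:55", "HTTP to sniffer"),
    ("00:aa:bb:00:00:04", "00:aa:bb:00:00:09", "DNS query"),
    ("00:aa:bb:00:00:04", "00:aa:bb:00:00:09", "DNS query"),
    ("00:aa:bb:00:00:05", "00:aa:bb:00:00:09", "HTTP GET"),
]


def classify(dst_mac: str, own_mac: str = SNIFFER_MAC) -> str:
    """Return 'broadcast', 'multicast', 'own' or 'foreign-unicast' for a frame.

    Broadcast and multicast are normal on any shared VLAN. 'foreign-unicast'
    (a unicast frame addressed to some other host's MAC) should never reach
    a non-SPAN port; seeing it means the switch is flooding.
    """
    mac = dst_mac.lower()
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    first_octet = int(mac.split(":")[0], 16)
    if first_octet & 0x01:  # I/G bit set: group (multicast) address
        return "multicast"
    if mac == own_mac.lower():
        return "own"
    return "foreign-unicast"


def flooding_report(frames, own_mac=SNIFFER_MAC):
    """Count frames per class and tally flooded unicast by destination MAC."""
    classes = Counter()
    foreign_dsts = Counter()
    for _src, dst, _desc in frames:
        kind = classify(dst, own_mac)
        classes[kind] += 1
        if kind == "foreign-unicast":
            foreign_dsts[dst.lower()] += 1
    return classes, foreign_dsts


if __name__ == "__main__":
    classes, foreign = flooding_report(SAMPLE_FRAMES)
    print(dict(classes))
    for dst, n in foreign.most_common():
        print(f"{n} unicast frame(s) to {dst}, which is not this host: flooded")
```

A destination MAC that shows up repeatedly in the flooded tally is one the switch keeps failing to learn, which is where to look (port flapping, CAM table overflow, or the multicast filtering the third answer describes).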